我有一个具有多个网络接口的环境：`eth0` 和 `vpn1`。我正在运行 docker，它有一条 iptables 伪装（MASQUERADE）规则，用来伪装来自 `172.17.0.0/16` 的流量：`-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE`。该规则目前允许来自 `172.17.0.0/16` 的流量通过 `eth0` 到达开放互联网。
当前设置如下（VPN 已启用）：
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 fd01:db8:1111::3/128 scope global
valid_lft forever preferred_lft forever
inet6 fd01:db8:1111::2/128 scope global
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 60:45:bd:84:92:d9 brd ff:ff:ff:ff:ff:ff
inet 10.1.0.76/16 metric 100 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6245:bdff:fe84:92d9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:51:89:34:f2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: vpn1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc mq state UNKNOWN group default qlen 500
link/none
inet 172.16.0.2/32 scope global vpn1
valid_lft forever preferred_lft forever
inet6 2606:4700:110:8276:300:469c:7cb9:760a/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::427:bcd6:837f:e0e1/64 scope link stable-privacy
valid_lft forever preferred_lft forever
$ ip -br link
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0 UP 60:45:bd:84:92:d9 <BROADCAST,MULTICAST,UP,LOWER_UP>
docker0 DOWN 02:42:51:89:34:f2 <NO-CARRIER,BROADCAST,MULTICAST,UP>
vpn1 UNKNOWN <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>
$ ip -4 -br addr
lo UNKNOWN 127.0.0.1/8
eth0 UP 10.1.0.76/16 metric 100
docker0 DOWN 172.17.0.1/16
vpn1 UNKNOWN 172.16.0.2/32
$ ip route
default via 10.1.0.1 dev eth0 proto dhcp src 10.1.0.76 metric 100
10.1.0.0/16 dev eth0 proto kernel scope link src 10.1.0.76 metric 100
10.1.0.1 dev eth0 proto dhcp scope link src 10.1.0.76 metric 100
168.63.129.16 via 10.1.0.1 dev eth0 proto dhcp src 10.1.0.76 metric 100
169.254.169.254 via 10.1.0.1 dev eth0 proto dhcp src 10.1.0.76 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
$ ip rule
0: from all lookup local
32765: not from all fwmark 0x100cf lookup 65743
32766: from all lookup main
32767: from all lookup default
$ nft list ruleset
table ip security {
chain OUTPUT {
type filter hook output priority 150; policy accept;
meta l4proto tcp ip daddr 168.63.129.16 tcp dport 53 counter packets 0 bytes 0 accept
meta l4proto tcp ip daddr 168.63.129.16 skuid 0 counter packets 463 bytes 198542 accept
meta l4proto tcp ip daddr 168.63.129.16 ct state invalid,new counter packets 0 bytes 0 drop
}
}
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
ip daddr 5.34.183.68 counter packets 0 bytes 0 drop
ip daddr 95.181.164.182 counter packets 0 bytes 0 drop
}
}
table inet vpn {
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept
iif "vpn1" accept
meta nfproto ipv4 udp sport 67 udp dport 68 accept
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
meta l4proto ipv6-icmp accept
ip protocol icmp accept
ip saddr 162.159.137.105 tcp sport 443 accept
ip saddr 162.159.138.105 tcp sport 443 accept
ip6 saddr 2606:4700:7::a29f:8969 tcp sport 443 accept
ip6 saddr 2606:4700:7::a29f:8a69 tcp sport 443 accept
ip saddr 162.159.193.2 accept
ip6 saddr 2606:4700:100::a29f:c102 accept
ip saddr 162.159.36.1 accept
ip saddr 192.0.0.0/2 accept
ip saddr 32.0.0.0/3 accept
ip saddr 64.0.0.0/3 accept
ip saddr 128.0.0.0/3 accept
ip saddr 16.0.0.0/4 accept
ip saddr 112.0.0.0/4 accept
ip saddr 176.0.0.0/4 accept
ip saddr 0.0.0.0/5 accept
ip saddr 104.0.0.0/5 accept
ip saddr 168.0.0.0/5 accept
ip saddr 12.0.0.0/6 accept
ip saddr 96.0.0.0/6 accept
ip saddr 164.0.0.0/6 accept
ip saddr 8.0.0.0/7 accept
ip saddr 102.0.0.0/7 accept
ip saddr 160.0.0.0/7 accept
ip saddr 11.0.0.0/8 accept
ip saddr 101.0.0.0/8 accept
ip saddr 163.0.0.0/8 accept
ip saddr 100.128.0.0/9 accept
ip saddr 162.0.0.0/9 accept
ip saddr 100.0.0.0/10 accept
ip saddr 162.192.0.0/10 accept
ip saddr 162.160.0.0/11 accept
ip saddr 162.128.0.0/12 accept
ip saddr 162.144.0.0/13 accept
ip saddr 162.152.0.0/14 accept
ip saddr 162.156.0.0/15 accept
ip saddr 162.159.36.1 accept
ip saddr 162.159.193.2 accept
ip6 saddr 8000::/1 accept
ip6 saddr 4000::/2 accept
ip6 saddr ::/3 accept
ip6 saddr 3000::/4 accept
ip6 saddr 2800::/5 accept
ip6 saddr 2000::/6 accept
ip6 saddr 2400::/7 accept
ip6 saddr 2700::/8 accept
ip6 saddr 2680::/9 accept
ip6 saddr 2640::/10 accept
ip6 saddr 2620::/11 accept
ip6 saddr 2610::/12 accept
ip6 saddr 2608::/13 accept
ip6 saddr 2600::/14 accept
ip6 saddr 2604::/15 accept
ip6 saddr 2607::/16 accept
ip6 saddr 2606:8000::/17 accept
ip6 saddr 2606::/18 accept
ip6 saddr 2606:6000::/19 accept
ip6 saddr 2606:5000::/20 accept
ip6 saddr 2606:4800::/21 accept
ip6 saddr 2606:4000::/22 accept
ip6 saddr 2606:4400::/23 accept
ip6 saddr 2606:4600::/24 accept
ip6 saddr 2606:4780::/25 accept
ip6 saddr 2606:4740::/26 accept
ip6 saddr 2606:4720::/27 accept
ip6 saddr 2606:4710::/28 accept
ip6 saddr 2606:4708::/29 accept
ip6 saddr 2606:4704::/30 accept
ip6 saddr 2606:4702::/31 accept
ip6 saddr 2606:4701::/32 accept
ip6 saddr 2606:4700:8000::/33 accept
ip6 saddr 2606:4700:4000::/34 accept
ip6 saddr 2606:4700:2000::/35 accept
ip6 saddr 2606:4700:1000::/36 accept
ip6 saddr 2606:4700:800::/37 accept
ip6 saddr 2606:4700:400::/38 accept
ip6 saddr 2606:4700:200::/39 accept
ip6 saddr 2606:4700:100::/40 accept
ip6 saddr 2606:4700:80::/41 accept
ip6 saddr 2606:4700:40::/42 accept
ip6 saddr 2606:4700:20::/43 accept
ip6 saddr 2606:4700:10::/44 accept
ip6 saddr 2606:4700:8::/45 accept
ip6 saddr 2606:4700::/46 accept
ip6 saddr 2606:4700:4::/47 accept
ip6 saddr 2606:4700:6::/48 accept
ip6 saddr 2606:4700:7:8000::/49 accept
ip6 saddr 2606:4700:7:4000::/50 accept
ip6 saddr 2606:4700:7:2000::/51 accept
ip6 saddr 2606:4700:7:1000::/52 accept
ip6 saddr 2606:4700:7:800::/53 accept
ip6 saddr 2606:4700:7:400::/54 accept
ip6 saddr 2606:4700:7:200::/55 accept
ip6 saddr 2606:4700:7:100::/56 accept
ip6 saddr 2606:4700:7:80::/57 accept
ip6 saddr 2606:4700:7:40::/58 accept
ip6 saddr 2606:4700:7:20::/59 accept
ip6 saddr 2606:4700:7:10::/60 accept
ip6 saddr 2606:4700:7:8::/61 accept
ip6 saddr 2606:4700:7:4::/62 accept
ip6 saddr 2606:4700:7:2::/63 accept
ip6 saddr 2606:4700:7:1::/64 accept
ip6 saddr 2606:4700:7:0:8000::/65 accept
ip6 saddr 2606:4700:7:0:4000::/66 accept
ip6 saddr 2606:4700:7:0:2000::/67 accept
ip6 saddr 2606:4700:7:0:1000::/68 accept
ip6 saddr 2606:4700:7:0:800::/69 accept
ip6 saddr 2606:4700:7:0:400::/70 accept
ip6 saddr 2606:4700:7:0:200::/71 accept
ip6 saddr 2606:4700:7:0:100::/72 accept
ip6 saddr 2606:4700:7:0:80::/73 accept
ip6 saddr 2606:4700:7:0:40::/74 accept
ip6 saddr 2606:4700:7:0:20::/75 accept
ip6 saddr 2606:4700:7:0:10::/76 accept
ip6 saddr 2606:4700:7:0:8::/77 accept
ip6 saddr 2606:4700:7:0:4::/78 accept
ip6 saddr 2606:4700:7:0:2::/79 accept
ip6 saddr 2606:4700:7:0:1::/80 accept
ip6 saddr 2606:4700:7::8000:0:0/81 accept
ip6 saddr 2606:4700:7::4000:0:0/82 accept
ip6 saddr 2606:4700:7::2000:0:0/83 accept
ip6 saddr 2606:4700:7::1000:0:0/84 accept
ip6 saddr 2606:4700:7::800:0:0/85 accept
ip6 saddr 2606:4700:7::400:0:0/86 accept
ip6 saddr 2606:4700:7::200:0:0/87 accept
ip6 saddr 2606:4700:7::100:0:0/88 accept
ip6 saddr 2606:4700:7::80:0:0/89 accept
ip6 saddr 2606:4700:7::40:0:0/90 accept
ip6 saddr 2606:4700:7::20:0:0/91 accept
ip6 saddr 2606:4700:7::10:0:0/92 accept
ip6 saddr 2606:4700:7::8:0:0/93 accept
ip6 saddr 2606:4700:7::4:0:0/94 accept
ip6 saddr 2606:4700:7::2:0:0/95 accept
ip6 saddr 2606:4700:7::1:0:0/96 accept
ip6 saddr 2606:4700:7::/97 accept
ip6 saddr 2606:4700:7::c000:0/98 accept
ip6 saddr 2606:4700:7::8000:0/99 accept
ip6 saddr 2606:4700:7::b000:0/100 accept
ip6 saddr 2606:4700:7::a800:0/101 accept
ip6 saddr 2606:4700:7::a400:0/102 accept
ip6 saddr 2606:4700:7::a000:0/103 accept
ip6 saddr 2606:4700:7::a300:0/104 accept
ip6 saddr 2606:4700:7::a200:0/105 accept
ip6 saddr 2606:4700:7::a2c0:0/106 accept
ip6 saddr 2606:4700:7::a2a0:0/107 accept
ip6 saddr 2606:4700:7::a280:0/108 accept
ip6 saddr 2606:4700:7::a290:0/109 accept
ip6 saddr 2606:4700:7::a298:0/110 accept
ip6 saddr 2606:4700:7::a29c:0/111 accept
ip6 saddr 2606:4700:7::a29e:0/112 accept
ip6 saddr 2606:4700:7::a29f:0/113 accept
ip6 saddr 2606:4700:7::a29f:c000/114 accept
ip6 saddr 2606:4700:7::a29f:a000/115 accept
ip6 saddr 2606:4700:7::a29f:9000/116 accept
ip6 saddr 2606:4700:7::a29f:8000/117 accept
ip6 saddr 2606:4700:7::a29f:8c00/118 accept
ip6 saddr 2606:4700:7::a29f:8800/120 accept
ip6 saddr 2606:4700:7::a29f:8b00/120 accept
ip6 saddr 2606:4700:7::a29f:8980/121 accept
ip6 saddr 2606:4700:7::a29f:8a80/121 accept
ip6 saddr 2606:4700:7::a29f:8900/122 accept
ip6 saddr 2606:4700:7::a29f:8a00/122 accept
ip6 saddr 2606:4700:7::a29f:8960/123 accept
ip6 saddr 2606:4700:7::a29f:8a60/123 accept
ip6 saddr 2606:4700:7::a29f:8950/124 accept
ip6 saddr 2606:4700:7::a29f:8a50/124 accept
ip6 saddr 2606:4700:7::a29f:8948/125 accept
ip6 saddr 2606:4700:7::a29f:8a48/125 accept
ip6 saddr 2606:4700:7::a29f:8944/126 accept
ip6 saddr 2606:4700:7::a29f:8a44/126 accept
ip6 saddr 2606:4700:7::a29f:8942/127 accept
ip6 saddr 2606:4700:7::a29f:8a42/127 accept
ip6 saddr 2606:4700:7::a29f:8940 accept
ip6 saddr 2606:4700:7::a29f:8a40 accept
}
chain output {
type filter hook output priority filter; policy drop;
oif "lo" accept
oif "vpn1" goto tun
ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp sport 546 udp dport 547 accept
ip6 saddr fe80::/10 ip6 daddr ff05::1:3 udp sport 546 udp dport 547 accept
meta l4proto ipv6-icmp accept
ip daddr 162.159.137.105 tcp dport 443 accept
ip daddr 162.159.138.105 tcp dport 443 accept
ip6 daddr 2606:4700:7::a29f:8969 tcp dport 443 accept
ip6 daddr 2606:4700:7::a29f:8a69 tcp dport 443 accept
ip daddr 162.159.193.2 accept
ip6 daddr 2606:4700:100::a29f:c102 accept
ip daddr 162.159.36.1 accept
ip daddr 192.0.0.0/2 accept
ip daddr 32.0.0.0/3 accept
ip daddr 64.0.0.0/3 accept
ip daddr 128.0.0.0/3 accept
ip daddr 16.0.0.0/4 accept
ip daddr 112.0.0.0/4 accept
ip daddr 176.0.0.0/4 accept
ip daddr 0.0.0.0/5 accept
ip daddr 104.0.0.0/5 accept
ip daddr 168.0.0.0/5 accept
ip daddr 12.0.0.0/6 accept
ip daddr 96.0.0.0/6 accept
ip daddr 164.0.0.0/6 accept
ip daddr 8.0.0.0/7 accept
ip daddr 102.0.0.0/7 accept
ip daddr 160.0.0.0/7 accept
ip daddr 11.0.0.0/8 accept
ip daddr 101.0.0.0/8 accept
ip daddr 163.0.0.0/8 accept
ip daddr 100.128.0.0/9 accept
ip daddr 162.0.0.0/9 accept
ip daddr 100.0.0.0/10 accept
ip daddr 162.192.0.0/10 accept
ip daddr 162.160.0.0/11 accept
ip daddr 162.128.0.0/12 accept
ip daddr 162.144.0.0/13 accept
ip daddr 162.152.0.0/14 accept
ip daddr 162.156.0.0/15 accept
ip daddr 162.159.36.1 accept
ip daddr 162.159.193.2 accept
ip6 daddr 8000::/1 accept
ip6 daddr 4000::/2 accept
ip6 daddr ::/3 accept
ip6 daddr 3000::/4 accept
ip6 daddr 2800::/5 accept
ip6 daddr 2000::/6 accept
ip6 daddr 2400::/7 accept
ip6 daddr 2700::/8 accept
ip6 daddr 2680::/9 accept
ip6 daddr 2640::/10 accept
ip6 daddr 2620::/11 accept
ip6 daddr 2610::/12 accept
ip6 daddr 2608::/13 accept
ip6 daddr 2600::/14 accept
ip6 daddr 2604::/15 accept
ip6 daddr 2607::/16 accept
ip6 daddr 2606:8000::/17 accept
ip6 daddr 2606::/18 accept
ip6 daddr 2606:6000::/19 accept
ip6 daddr 2606:5000::/20 accept
ip6 daddr 2606:4800::/21 accept
ip6 daddr 2606:4000::/22 accept
ip6 daddr 2606:4400::/23 accept
ip6 daddr 2606:4600::/24 accept
ip6 daddr 2606:4780::/25 accept
ip6 daddr 2606:4740::/26 accept
ip6 daddr 2606:4720::/27 accept
ip6 daddr 2606:4710::/28 accept
ip6 daddr 2606:4708::/29 accept
ip6 daddr 2606:4704::/30 accept
ip6 daddr 2606:4702::/31 accept
ip6 daddr 2606:4701::/32 accept
ip6 daddr 2606:4700:8000::/33 accept
ip6 daddr 2606:4700:4000::/34 accept
ip6 daddr 2606:4700:2000::/35 accept
ip6 daddr 2606:4700:1000::/36 accept
ip6 daddr 2606:4700:800::/37 accept
ip6 daddr 2606:4700:400::/38 accept
ip6 daddr 2606:4700:200::/39 accept
ip6 daddr 2606:4700:100::/40 accept
ip6 daddr 2606:4700:80::/41 accept
ip6 daddr 2606:4700:40::/42 accept
ip6 daddr 2606:4700:20::/43 accept
ip6 daddr 2606:4700:10::/44 accept
ip6 daddr 2606:4700:8::/45 accept
ip6 daddr 2606:4700::/46 accept
ip6 daddr 2606:4700:4::/47 accept
ip6 daddr 2606:4700:6::/48 accept
ip6 daddr 2606:4700:7:8000::/49 accept
ip6 daddr 2606:4700:7:4000::/50 accept
ip6 daddr 2606:4700:7:2000::/51 accept
ip6 daddr 2606:4700:7:1000::/52 accept
ip6 daddr 2606:4700:7:800::/53 accept
ip6 daddr 2606:4700:7:400::/54 accept
ip6 daddr 2606:4700:7:200::/55 accept
ip6 daddr 2606:4700:7:100::/56 accept
ip6 daddr 2606:4700:7:80::/57 accept
ip6 daddr 2606:4700:7:40::/58 accept
ip6 daddr 2606:4700:7:20::/59 accept
ip6 daddr 2606:4700:7:10::/60 accept
ip6 daddr 2606:4700:7:8::/61 accept
ip6 daddr 2606:4700:7:4::/62 accept
ip6 daddr 2606:4700:7:2::/63 accept
ip6 daddr 2606:4700:7:1::/64 accept
ip6 daddr 2606:4700:7:0:8000::/65 accept
ip6 daddr 2606:4700:7:0:4000::/66 accept
ip6 daddr 2606:4700:7:0:2000::/67 accept
ip6 daddr 2606:4700:7:0:1000::/68 accept
ip6 daddr 2606:4700:7:0:800::/69 accept
ip6 daddr 2606:4700:7:0:400::/70 accept
ip6 daddr 2606:4700:7:0:200::/71 accept
ip6 daddr 2606:4700:7:0:100::/72 accept
ip6 daddr 2606:4700:7:0:80::/73 accept
ip6 daddr 2606:4700:7:0:40::/74 accept
ip6 daddr 2606:4700:7:0:20::/75 accept
ip6 daddr 2606:4700:7:0:10::/76 accept
ip6 daddr 2606:4700:7:0:8::/77 accept
ip6 daddr 2606:4700:7:0:4::/78 accept
ip6 daddr 2606:4700:7:0:2::/79 accept
ip6 daddr 2606:4700:7:0:1::/80 accept
ip6 daddr 2606:4700:7::8000:0:0/81 accept
ip6 daddr 2606:4700:7::4000:0:0/82 accept
ip6 daddr 2606:4700:7::2000:0:0/83 accept
ip6 daddr 2606:4700:7::1000:0:0/84 accept
ip6 daddr 2606:4700:7::800:0:0/85 accept
ip6 daddr 2606:4700:7::400:0:0/86 accept
ip6 daddr 2606:4700:7::200:0:0/87 accept
ip6 daddr 2606:4700:7::100:0:0/88 accept
ip6 daddr 2606:4700:7::80:0:0/89 accept
ip6 daddr 2606:4700:7::40:0:0/90 accept
ip6 daddr 2606:4700:7::20:0:0/91 accept
ip6 daddr 2606:4700:7::10:0:0/92 accept
ip6 daddr 2606:4700:7::8:0:0/93 accept
ip6 daddr 2606:4700:7::4:0:0/94 accept
ip6 daddr 2606:4700:7::2:0:0/95 accept
ip6 daddr 2606:4700:7::1:0:0/96 accept
ip6 daddr 2606:4700:7::/97 accept
ip6 daddr 2606:4700:7::c000:0/98 accept
ip6 daddr 2606:4700:7::8000:0/99 accept
ip6 daddr 2606:4700:7::b000:0/100 accept
ip6 daddr 2606:4700:7::a800:0/101 accept
ip6 daddr 2606:4700:7::a400:0/102 accept
ip6 daddr 2606:4700:7::a000:0/103 accept
ip6 daddr 2606:4700:7::a300:0/104 accept
ip6 daddr 2606:4700:7::a200:0/105 accept
ip6 daddr 2606:4700:7::a2c0:0/106 accept
ip6 daddr 2606:4700:7::a2a0:0/107 accept
ip6 daddr 2606:4700:7::a280:0/108 accept
ip6 daddr 2606:4700:7::a290:0/109 accept
ip6 daddr 2606:4700:7::a298:0/110 accept
ip6 daddr 2606:4700:7::a29c:0/111 accept
ip6 daddr 2606:4700:7::a29e:0/112 accept
ip6 daddr 2606:4700:7::a29f:0/113 accept
ip6 daddr 2606:4700:7::a29f:c000/114 accept
ip6 daddr 2606:4700:7::a29f:a000/115 accept
ip6 daddr 2606:4700:7::a29f:9000/116 accept
ip6 daddr 2606:4700:7::a29f:8000/117 accept
ip6 daddr 2606:4700:7::a29f:8c00/118 accept
ip6 daddr 2606:4700:7::a29f:8800/120 accept
ip6 daddr 2606:4700:7::a29f:8b00/120 accept
ip6 daddr 2606:4700:7::a29f:8980/121 accept
ip6 daddr 2606:4700:7::a29f:8a80/121 accept
ip6 daddr 2606:4700:7::a29f:8900/122 accept
ip6 daddr 2606:4700:7::a29f:8a00/122 accept
ip6 daddr 2606:4700:7::a29f:8960/123 accept
ip6 daddr 2606:4700:7::a29f:8a60/123 accept
ip6 daddr 2606:4700:7::a29f:8950/124 accept
ip6 daddr 2606:4700:7::a29f:8a50/124 accept
ip6 daddr 2606:4700:7::a29f:8948/125 accept
ip6 daddr 2606:4700:7::a29f:8a48/125 accept
ip6 daddr 2606:4700:7::a29f:8944/126 accept
ip6 daddr 2606:4700:7::a29f:8a44/126 accept
ip6 daddr 2606:4700:7::a29f:8942/127 accept
ip6 daddr 2606:4700:7::a29f:8a42/127 accept
ip6 daddr 2606:4700:7::a29f:8940 accept
ip6 daddr 2606:4700:7::a29f:8a40 accept
}
chain tun {
ip saddr 172.16.0.2 accept
ip6 saddr 2606:4700:110:8ac1:21f5:87c2:8c2e:882a accept
ip6 saddr fe80::/10 accept
ip protocol tcp reject with tcp reset
reject
}
}
如何设置伪装规则，以便来自 `172.17.0.0/16` 的流量通过 `vpn1`（而不是 `eth0`）到达开放互联网？